A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.
Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.
More details: CVE-2025-49005
{ "nvd_published_at": "2025-07-03T21:15:26Z", "severity": "LOW", "github_reviewed_at": "2025-07-03T20:30:18Z", "github_reviewed": true, "cwe_ids": [ "CWE-444" ] }